Microsoft 'Gets' Security

If the spate of recent virus scares, Web-site break-ins, and other security violations has taught us anything, it's that the interconnected future will require a more open and responsible attitude toward security and privacy. Although naysayers (e.g., Sun Microsystems CEO Scott McNealy, who last year uttered, "You gave up your privacy a long time ago. Get over it.") abound, securing our personal and corporate data is of first importance as we move into a .NET environment, and we need to plan accordingly.

What the Market Hears
For several years, a perception has persisted that Microsoft doesn't "get" security. The media, which delight in the release of each Microsoft Security Bulletin and Windows-related security miscue, have reinforced this perception. Since the rise of Linux, with its "more secure than NT" mantra, an awareness of security concerns has been growing. Microsoft has taken the brunt of the abuse directed at software makers, whom users often perceive as being less than honest about security. As is often the case, the truth is far less damaging than the perception, but Microsoft knows that it must step up to the plate if only because it's the most visible and popular of targets.

What Microsoft Says
Microsoft's take on security and privacy protection is interesting. The company believes that the number one security problem is people, not technology or processes. This point is valid: You can have the right tools and security procedures in place, but human error will get you every time. Such was the case with Microsoft's network break-in last fall. An employee had left an administrator password blank. Retiring Chief Operating Officer (COO) Bob Herbold told a crowd at the University of Washington Business School, "It's not the technology, folks; it's the people. When we trace [such attacks] back, it's always human error."

What Microsoft Is Doing
Microsoft's answer for implementing security is Internet Security and Acceleration (ISA) Server 2000, which features an extensible architecture that lets third parties easily add features to the base platform. Extensibility now pervades Microsoft's product line, and this design choice is a good one. At the time ISA Server 2000 shipped, Microsoft listed more than 30 third-party software makers that were implementing add-ons for the product to provide content filtering, intrusion detection and blocking, and similar functions. You can add these features as you need them—you don't have to wait for ISA Server 2002.

Microsoft's Security team publishes its security bulletins through the company's Web site and email newsletters, but the team is trying to make the process of identifying and responding to security problems more formal and expedient. To provide its customers with better security services, Microsoft Security has begun the Microsoft Security Services Partner Program (MSSPP), which currently lists more than 40 partners in its community of consultants. MSSPP partners help corporations ensure that their systems are as secure as possible.

What You Can Do
Any business that implements Windows on the server can benefit from the security resources that many companies provide. For example, the Microsoft Security Web site at http://www.microsoft.com/security has links to the MSSPP, best practices guides, tools, and more. The Windows 2000 Magazine Network includes the Windows IT Security Web site at http://www.WindowsITsecurity.com. Take a look at ISA Server 2000 or other third-party firewall products to see whether they match your needs. Most important, train your employees to understand security and to work within the processes that make sense for your organization. In the end, the weak link will always be an individual, and only through communication, training, and education will you strengthen the chain. Even the most powerful software company in the world has learned this lesson the hard way.